linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Dave Hansen <dave.hansen@intel.com>
To: Andrea Arcangeli <aarcange@redhat.com>, Jiri Kosina <jikos@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>,
	Tim Chen <tim.c.chen@linux.intel.com>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	Ingo Molnar <mingo@redhat.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Josh Poimboeuf <jpoimboe@redhat.com>,
	David Woodhouse <dwmw@amazon.co.uk>,
	Andi Kleen <ak@linux.intel.com>,
	Casey Schaufler <casey.schaufler@intel.com>,
	Asit Mallick <asit.k.mallick@intel.com>,
	Arjan van de Ven <arjan@linux.intel.com>,
	Jon Masters <jcm@redhat.com>, Waiman Long <longman9394@gmail.com>,
	LKML <linux-kernel@vger.kernel.org>,
	x86@kernel.org, Willy Tarreau <w@1wt.eu>
Subject: Re: [Patch v5 11/16] x86/speculation: Add Spectre v2 app to app protection modes
Date: Mon, 19 Nov 2018 13:33:08 -0800	[thread overview]
Message-ID: <4d102977-f516-e0b3-b728-e318e36c1449@intel.com> (raw)
In-Reply-To: <20181119193253.GE29258@redhat.com>

On 11/19/18 11:32 AM, Andrea Arcangeli wrote:
> The specs don't say if by making it immune from BTB mistraining, it
> also could prevent to mistrain the BTB in order to attack what's
> outside the SECCOMP jail. Probably it won't and I doubt we can rely on
> it even if some implementation could do that.

I just talked with Andi and Tim about this.  The *current* spec for
STIBP[1] states that it bidirectional: setting it on one thread provides
mitigation against any threads attacking any other thread on the core.

This means that it provides protection for victims being in and out of
SECCOMP jail when the attacker is either in or out of SECCOMP jail.

However, the current spec[1], differs from the *original* spec PDF that
Intel released last year.  Both are correct in that they describe all
current (Intel) implementations of STIBP.  However, the new
_description_ of STIBP is stronger than it was originally.

Here's the current description:

> Setting ... STIBP ... on a logical processor prevents the predicted
> targets of indirect branches on any logical processor of that core
> from being controlled by software that executes (or executed
> previously) on another logical processor of the same core.

1.
https://software.intel.com/security-software-guidance/insights/deep-dive-single-thread-indirect-branch-predictors

  parent reply	other threads:[~2018-11-19 21:33 UTC|newest]

Thread overview: 64+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-17  1:53 [Patch v5 00/16] Provide task property based options to enable Spectre v2 userspace-userspace protection Tim Chen
2018-11-17  1:53 ` [Patch v5 01/16] x86/speculation: Clean up spectre_v2_parse_cmdline() Tim Chen
2018-11-17  1:53 ` [Patch v5 02/16] x86/speculation: Remove unnecessary ret variable in cpu_show_common() Tim Chen
2018-11-17  1:53 ` [Patch v5 03/16] x86/speculation: Reorganize cpu_show_common() Tim Chen
2018-11-17  1:53 ` [Patch v5 04/16] x86/speculation: Add X86_FEATURE_USE_IBRS_ENHANCED Tim Chen
2018-11-17  1:53 ` [Patch v5 05/16] x86/speculation: Disable STIBP when enhanced IBRS is in use Tim Chen
2018-11-17  1:53 ` [Patch v5 06/16] x86/speculation: Rename SSBD update functions Tim Chen
2018-11-17  1:53 ` [Patch v5 07/16] x86/speculation: Reorganize speculation control MSRs update Tim Chen
2018-11-17  1:53 ` [Patch v5 08/16] smt: Create cpu_smt_enabled static key for SMT specific code Tim Chen
2018-11-19 12:58   ` Thomas Gleixner
2018-11-19 20:50     ` Tim Chen
2018-11-19 14:57   ` Peter Zijlstra
2018-11-19 18:08     ` Tim Chen
2018-11-19 19:03       ` Thomas Gleixner
2018-11-19 19:25         ` Tim Chen
2018-11-17  1:53 ` [Patch v5 09/16] x86/smt: Convert cpu_smt_control check to cpu_smt_enabled static key Tim Chen
2018-11-19 12:48   ` Thomas Gleixner
2018-11-19 12:59     ` Thomas Gleixner
2018-11-17  1:53 ` [Patch v5 10/16] x86/speculation: Turn on or off STIBP according to a task's TIF_STIBP Tim Chen
2018-11-17  1:53 ` [Patch v5 11/16] x86/speculation: Add Spectre v2 app to app protection modes Tim Chen
2018-11-17  9:47   ` Jiri Kosina
2018-11-18 22:59     ` Jiri Kosina
2018-11-19 13:36       ` Thomas Gleixner
2018-11-19 13:49         ` Jiri Kosina
2018-11-19 13:51           ` Thomas Gleixner
2018-11-19 14:00             ` Jiri Kosina
2018-11-19 18:31               ` Tim Chen
2018-11-19 19:32           ` Andrea Arcangeli
2018-11-19 19:39             ` Jiri Kosina
2018-11-19 21:40               ` Andrea Arcangeli
2018-11-19 21:33             ` Dave Hansen [this message]
2018-11-19 23:16               ` Andrea Arcangeli
2018-11-19 23:25                 ` Dave Hansen
2018-11-19 23:45                   ` Andrea Arcangeli
2018-11-20  0:22                 ` Thomas Gleixner
2018-11-19 13:32   ` Thomas Gleixner
2018-11-20  0:08     ` Tim Chen
2018-11-20  0:30       ` Thomas Gleixner
2018-11-20  1:14         ` Tim Chen
2018-11-20  1:17         ` Andi Kleen
2018-11-19 15:00   ` Thomas Gleixner
2018-11-19 18:27     ` Tim Chen
2018-11-19 18:31       ` Jiri Kosina
2018-11-19 20:21   ` Thomas Gleixner
2018-11-19 22:44     ` Tim Chen
2018-11-19 20:46   ` Thomas Gleixner
2018-11-19 20:55     ` Jiri Kosina
2018-11-19 21:12       ` Thomas Gleixner
2018-11-19 22:48       ` Tim Chen
2018-11-19 23:01         ` Thomas Gleixner
2018-11-19 23:23           ` Jiri Kosina
2018-11-20  0:00             ` Thomas Gleixner
2018-11-20  0:24               ` Tim Chen
2018-11-19 23:39           ` Dave Hansen
2018-11-19 23:49             ` Jiri Kosina
2018-11-20  0:02               ` Thomas Gleixner
2018-11-17  1:53 ` [Patch v5 12/16] x86/speculation: Create PRCTL interface to restrict indirect branch speculation Tim Chen
2018-11-17  9:53   ` Jiri Kosina
2018-11-19 18:29     ` Tim Chen
2018-11-17  1:53 ` [Patch v5 13/16] security: Update speculation restriction of a process when modifying its dumpability Tim Chen
2018-11-17  1:53 ` [Patch v5 14/16] x86/speculation: Use STIBP to restrict speculation on non-dumpable task Tim Chen
2018-11-17  1:53 ` [Patch v5 15/16] x86/speculation: Update comment on TIF_SSBD Tim Chen
2018-11-17  1:53 ` [Patch v5 16/16] x86: Group thread info flags by functionality Tim Chen
2018-11-17  9:34 ` [Patch v5 00/16] Provide task property based options to enable Spectre v2 userspace-userspace protection Jiri Kosina

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4d102977-f516-e0b3-b728-e318e36c1449@intel.com \
    --to=dave.hansen@intel.com \
    --cc=aarcange@redhat.com \
    --cc=ak@linux.intel.com \
    --cc=arjan@linux.intel.com \
    --cc=asit.k.mallick@intel.com \
    --cc=casey.schaufler@intel.com \
    --cc=dwmw@amazon.co.uk \
    --cc=jcm@redhat.com \
    --cc=jikos@kernel.org \
    --cc=jpoimboe@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=longman9394@gmail.com \
    --cc=mingo@redhat.com \
    --cc=peterz@infradead.org \
    --cc=tglx@linutronix.de \
    --cc=thomas.lendacky@amd.com \
    --cc=tim.c.chen@linux.intel.com \
    --cc=w@1wt.eu \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).